DEPARTMENT OF HOMELAND SECURITY

Office of Inspector General

DHS Must Address Internet Protocol Version 6 Challenges

OIG-08-61                                 May 2008

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

May 28, 2008

MEMORANDUM FOR:    Elaine Duke
                   Deputy Under Secretary for Management

FROM:              Richard L. Skinner
                   Inspector General

SUBJECT:           DHS Must Address Internet Protocol Version 6 Challenges,
                   OIG-08-61

We evaluated the Department of Homeland Security’s (DHS’) transition to Internet Protocol
Version 6 (IPv6). The Office of Management and Budget (OMB) requires federal agencies
to demonstrate, by June 2008, the capability to pass IPv6 traffic and support IPv6 addresses
from the (1) Internet to their local area network; (2) their local area network to the Internet;
and (3) their local area network to other local area networks.
Our objective was to determine
whether DHS is effectively managing its implementation of IPv6.

Although DHS has begun the early stages of implementing OMB’s IPv6 transition
requirements, it is unlikely that the department will be positioned to take timely advantage of
the enhanced capabilities of IPv6 as IPv6-capable products and services become available.
Specifically, we recommend that DHS (1) complete an inventory of IPv6 applications and
devices; (2) finalize its IPv6 transition strategy; (3) provide guidance to its components and
offices to plan for their IPv6 transition; and (4) better coordinate with the OneNet Steward.

The five recommendations herein have been developed to the best knowledge available to
our office, and have been discussed in draft with those responsible for implementation. In
response to our draft report, DHS concurred with our recommendations. DHS’ response is
summarized and evaluated in the body of this report and included, in its entirety, as
Appendix A.

Please advise our office within 90 days of the date of this memorandum of the progress in
implementing the recommendations. Your response, or action plan, should discuss the
relevant actions taken or planned, parties responsible, key milestones, and other supporting
information that demonstrates your progress.

Consistent with our responsibility under the Inspector General Act, we are providing copies
of our report to appropriate congressional committees with oversight and appropriation
responsibility over the DHS.
In addition, we will post a copy of the report on our website for
public dissemination.

Should you have any questions, please call me, or your staff may contact Frank Deffer,
Assistant Inspector General for IT Audits, at (202) 254-4100.

Background

Internet Protocol (IP) includes the language and rules that computers use to transmit
information (such as email and other data, voice communications, and video) over the
Intranet and Internet. Devices that directly connect to the Internet need a unique IP address
to identify where information originates and its destination. The existing protocol supporting
the Internet today–Internet Protocol Version 4 (IPv4)–supports 4.3 billion IP addresses,
limiting the number of devices that can be given a unique IP address to connect to the
Internet. This cap has constrained the growth of the Internet worldwide and has limited the
number of computers and other devices that can be connected to one another over the
Internet. In addition, there are many security considerations when introducing emerging
technology into a network. The United States Computer Emergency Response Team
(US-CERT) warned in April 2005 that the unmanaged implementation of IPv6 increases security
risks to agencies’ networks.

On August 2, 2005, OMB issued Memorandum 05-22 (M-05-22), Transition Planning for
Internet Protocol Version 6 (IPv6), establishing the goal of transitioning federal agencies’
network backbones to IPv6. The “backbone” includes an agency’s wide area network
(WAN) core up to its local area network point of demarcation. OMB requires that an
agency’s network backbone transmit both IPv4 and IPv6 traffic and that agencies perform
testing to verify its capability to pass both protocols simultaneously.
To aid in transition
planning, OMB M-05-22 identified several key interim milestones and the following
requirements:

   - By November 15, 2005:
       • Identify an IPv6 agency lead;
       • Complete inventory of routers, switches, and hardware firewalls in network
         backbone.

   - By February 28, 2006:
       • Develop a network backbone transition plan for IPv6;
       • Submit to OMB an IPv6 progress report.

   - By June 30, 2006:
       • Complete an inventory of applications and peripherals with dependencies on the
         network backbone;
       • Complete an IPv6 transition impact analysis.

In July 2005, DHS assigned Customs and Border Protection (CBP) as the network steward to
maintain and operate DHS’ unclassified WAN (DHS’ network backbone), referred to as
DHS OneNet. DHS has committed to consolidating its network infrastructure to OneNet to
improve network services between its components. DHS’ goal is to ensure that OneNet will
be IPv6 capable by June 30, 2008.

Additional Preparation Needed For IPv6 Transition

In February 2004, DHS began its efforts to transition to IPv6. The Chief Information Officer
(CIO) established the requirement that all new information technology acquisitions be IPv6
compliant. In July 2005, the CIO established an IPv6 program office to lead the
department-wide transition effort. In May 2006, DHS conducted an inventory of Cisco routers and
switches that are IPv6 capable. However, this inventory did not include any hardware
firewalls or non-Cisco network devices.
In August 2006, CBP, as the steward for DHS’
network backbone, reserved a block of IPv6 addresses to satisfy DHS’ anticipated growth
over the next 10 years based on a projection by DHS OneNet’s administrator. Finally, in
May 2007, DHS developed cost estimates to implement IPv6 on DHS OneNet.

Despite these efforts, DHS faces additional challenges in transitioning to IPv6. DHS should
be further along in implementing its transition effort and completing the OMB interim
milestones. DHS must ensure that several key activities are completed before it can fully
transition to IPv6 functionality. Specifically, the department needs to (1) complete a
comprehensive inventory of all IPv6 applications and devices, including hardware firewalls;
(2) finalize its IPv6 transition strategy; (3) engage its components on IPv6 transition planning
and activities; and (4) better coordinate with CBP officials on DHS’ IPv6 transition effort.

A Complete Inventory of IPv6 Applications and Devices Is Essential

DHS has not completed an inventory of routers, switches, and firewalls for its OneNet.
Further, DHS has not conducted an inventory of existing applications and other IPv6 devices.
Combined, such an inventory would provide DHS with the ability to determine the controls
and resources needed to mitigate the risks identified with the transition and assist the
department in developing a more accurate transition cost estimate.

In May 2006, DHS conducted a scan to identify its IPv6-capable network devices. DHS used
an automated network discovery tool (Cisco Network Collector) at six major components to
identify Cisco devices that support IPv6. The components included in this assessment were
CBP, the Federal Emergency Management Agency, Federal Law Enforcement Training
Center, Immigration and Customs Enforcement, Transportation Security Administration, and
United States Coast Guard.
This inventory did not include any hardware firewalls or
non-Cisco network devices. In addition, the inventory did not include all DHS components and
offices. The results of this discovery were submitted to OMB in February 2007 as DHS’
initial IPv6 inventory.

OMB required agencies to complete their initial inventory (IPv6 routers, switches, and
firewalls) by November 15, 2005, and a second inventory (IPv6 applications and peripheral
devices) by June 30, 2006. Without a comprehensive inventory, DHS does not have the most
complete and accurate information available to assess the risks associated with its IPv6
transition.

IPv6 Transition Strategy Must Be Finalized

In January 2007, DHS drafted its initial transition plan that assigned IPv6 roles and
responsibilities, established interim milestones to meet OMB’s June 2008 deadline, and
established working groups to coordinate technical and implementation issues. However, the
plan has not been updated or finalized. For example, the plan does not include a timeline for
when the department will complete its transition to IPv6 on its network backbone; indicate
when the department will deploy IPv6 functionality to its components; identify the transition
method and testing strategy to ensure interoperability between IPv6 and IPv4; or incorporate
IPv6 training requirements for key personnel. According to program officials, DHS is now
in the process of finalizing its transition plan.

A transition strategy is the first step to ensure that migration to IPv6 is done methodically and
that network security is not compromised. Before DHS can begin to deploy IPv6, the
department must finalize its IPv6 transition strategy.
Completing key planning activities and
identifying the methods of transition early can mitigate risks and assist DHS in a successful
transition to IPv6. Further, lacking a transition strategy, DHS may incur additional expenses
with costly upgrades and compromise network security.

Guidance Is Needed for Components’ Transition to IPv6

DHS has not provided any guidance to its components and offices to assist them in planning
for their transition. Further, DHS has not developed any IPv6-related security policies or
established standard configurations for IPv6 devices. Also, DHS has not established a
process to oversee the components’ progress in migrating to IPv6. For example, DHS’ draft
transition plan required components to submit (1) an inventory of their network devices and
applications to the program office by October 2007, and (2) their respective transition plans
by December 2007. However, the department has not enforced the requirements outlined in
its transition plan. While several components have begun planning their own IPv6 activities,
actions taken thus far are limited. For example, only CBP and the United States Secret
Service conducted an inventory of their IPv6-capable devices. CBP obtained contract
support to develop its own transition planning documents. However, none of the components
have developed an impact analysis to evaluate the potential risks on their network
infrastructures during transition.

According to DHS program officials, the department is only in the early stage of IPv6
transition and oversight responsibilities have not been established. Further, program officials
indicated that there is little incentive for the department to move forward with only a few
applications taking advantage of IPv6 features. Unless DHS involves its components in the
department’s transition effort, DHS’ migration to IPv6 may not be successful.
Components
that migrate to IPv6 without specific guidelines may not align with DHS’ IPv6 goals.

Better Coordination With the OneNet Steward Is Needed

DHS has not coordinated effectively with its OneNet steward (CBP) to ensure that the
department’s IPv6 transition is planned methodically. The lack of coordination has caused
confusion and duplicated planning efforts between DHS and CBP on several key decisions
that affect the department’s transition to IPv6. DHS program officials indicated that they
selected “dual-stack” as the department’s transition method to IPv6. According to CBP
personnel, the transition method could not be determined until testing was conducted.
Testing is needed to evaluate whether the method selected would compromise security and
be compatible with DHS OneNet. Finally, CBP personnel indicated that IPv6 program
officials had yet to share the most current version of the transition plan and impact analysis
with them.

Improved coordination between DHS’ IPv6 program office and CBP officials will allow
DHS to better manage its resources and avoid duplicating planning efforts. Effective
coordination with DHS’ OneNet steward on key transition planning decisions will help
ensure that network security is not compromised during the transition.

Unless DHS officials quickly address the challenges affecting its IPv6 transition, the
department risks not meeting OMB’s June 30, 2008 milestone. Despite assurances from
DHS officials that the department will meet OMB’s deadline to transmit both IPv4 and IPv6
traffic by June 2008, we believe that the actions DHS has taken to date do not guarantee that
the department and its components can successfully demonstrate the capabilities required by
OMB.
As recently as December 2007, the OMB Deputy General Counsel said that agencies
are expected to meet the June 2008 deadline and that no extension is anticipated. The intent
of OMB M-05-22 is to ensure that the federal government is in a position to take advantage
of the enhanced capabilities of IPv6 as IPv6-capable products and services become available.

Recommendations

To strengthen DHS’ IPv6 planning effort, we recommend the CIO:

       1. Complete a comprehensive IPv6 inventory of all existing routers, switches,
          hardware firewalls, applications, and other technologies department wide.

       2. Finalize the transition plan with detailed interim milestones and a timeline for the
          department to complete its transition to IPv6.

       3. Determine which transition mechanism will be employed by DHS and verify this
          new capability through testing activities.

       4. Develop and issue necessary guidance for components to plan and align their
          transition effort to IPv6 with the department’s goals and implement a process to
          monitor components’ transition activities.

       5. Ensure that the DHS IPv6 program office and CBP coordinate their planning and
          transition efforts.

Management Comments And OIG Analysis

DHS concurs with recommendation 1. DHS agrees that a complete inventory of IP devices
and applications needs to be generated and an assessment needs to be made regarding the
readiness state of IPv6 capabilities. A strategy to complete a comprehensive IPv6 inventory
(edge router to desktop) is under development for June 2008.
Also, DHS will determine
what devices and applications can be upgraded for IPv6 capabilities, and identify what needs
to be replaced.

We accept DHS’ response to complete a comprehensive inventory and to determine its state
of IPv6 readiness.

DHS concurs with recommendation 2. DHS will finalize a transition plan by September
2008. The updated transition plan will be based on a CBP transition plan that will be
coordinated among technical and application transition work groups, and will include major
milestones. An integrated IPv6 transition schedule will still be needed and will be developed
in coordination with component IPv6 transition plans to provide insights into the
dependencies and the availability of required technical solutions. The integrated transition
schedule is to be completed no later than March 2009.

We accept DHS’ response to finalize its transition plan. We maintain that DHS needs to
outline its interim milestones and a timeline for the department to complete its transition to
IPv6.

DHS concurs with recommendation 3. In March 2008, the IPv6 program office created a
high-level DHS IPv6 Master Test Plan that identifies the operational criteria that need to be
verified through a test and evaluation program. The criteria are intended to ensure that the
selected transition mechanism will not impact operations. The criteria will be applied to
IPv4 and IPv6 network transition techniques, such as dual stack and configured tunnels.
Proposals to use transition mechanisms during the transition period will be evaluated on a
case-by-case basis.

We accept DHS’ response to identify, test, and evaluate IPv4 and IPv6 transition techniques
to determine which mechanism will be employed by DHS.

DHS concurs with recommendation 4. DHS will finalize and distribute IPv6 implementation
guidance to enable the network steward and components to follow a common and
coordinated approach.
The set of guidance documentation is targeted for completion in
October 2008. These deliverables will support component planning efforts and the
development of the integrated transition schedule that is to be completed by March 2009.

We accept DHS’ response to distribute IPv6 guidance to the components to plan and align
their transition efforts with the department’s goals and implement a process to monitor
components’ transition activities.

DHS concurs with recommendation 5. Efforts are underway to create a common
understanding of the department’s IPv6 implementation plans. The department is
establishing technical and application transition work groups (to include the network steward
and component representatives) to foster the planning and transition efforts. A technical
workgroup will initiate in July 2008 and an application work group will initiate in October
2008.

We accept DHS’ response to ensure that the DHS IPv6 program office and CBP coordinate
their planning and transition efforts.

*********************

We conducted our audit from September to November 2007 under the authority of the
Inspector General Act of 1978, as amended, and according to generally accepted government
audit standards.

Appendix A
Management Comments to the Draft Report

Appendix B
Major Contributors to this Report

       Edward G. Coleman, Director
       Patrick Nadon, Audit Manager
       Chiu-Tong Tsang, Audit Team Leader
       Charles Twitty, Auditor
       Nazia Khan, IT Specialist
       Domingo Alvarez, Referencer

Appendix C
Report Distribution

       Department of Homeland Security

       Secretary
       Deputy Secretary
       Chief of Staff
       Deputy Chief of Staff
       General Counsel
       Executive Secretariat
       GAO/OIG Liaison Office
       Assistant Secretary for Policy
       Assistant Secretary for Legislative Affairs
       Assistant Secretary for Public Affairs
       Deputy Under Secretary for Management
       Acting Chief Information Officer
       Information Systems Security Manager
       Executive Director, Information Technology Services Office
       Compliance and Oversight Program Director
       Chief Information Officer Audit Liaison
       CBP Chief Information Officer
       CBP Information Systems Security Manager
       CBP Audit Liaison

       Office of Management and Budget

       Chief, Homeland Security Branch
       DHS Program Examiner

       Congress

       Congressional Oversight and Appropriations Committees, as appropriate

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General
(OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web
site at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of
criminal or noncriminal
misconduct relative to department programs or
operations:

    • Call our Hotline at 1-800-323-8603;
    • Fax the complaint directly to us at (202) 254-4292;
    • Email us at DHSOIGHOTLINE@dhs.gov; or
    • Write to us at:
          DHS Office of Inspector General/MAIL STOP 2600, Attention:
          Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410,
          Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.